Subdomain Discovery

Continuing the discussion from our recent blog post on Discovering Subdomains by Shpend Kurtishaj @shpendk , who leads the ASE team at Bugcrowd…

In the post, Shpend provides a list of public resources that help in subdomain discovery:

  • Search engines (Google, Bing, Yahoo, Baidu)
  • - Search for “” and virustotal will provide extensive information in addition to Observed subdomains, which is a list of all subdomains it knows about.
  • - The name says it all. Enter the target domain, hit search, profit!
  • - Sometimes SSL is a goldmine of information. Use this site by searching for “” and it’ll get back with subdomains to you. Easy win.
  • - Not greatbut has some useful information sometimes.
  • - Another to keep an eye on.
  • - Shodan is an infrastuture based spider with an associated information caching database that is made prodominatly for security proffessinoals. It has historical and current data on a large swath of the internet’s servers, including seen-subdomains, server versioning, and much more.

And a list of bruteforce tools:

  • Subbrute - A DNS meta-query spider that enumerates DNS records, and subdomains.
  • dnscan - a python wordlist-based DNS subdomain scanner.
  • Nmap - Yes it’s a port scanner, but it can bruteforce subdomains too (check nmap scripts)
  • Recon-Ng - The recon-ng framework has a brute_hosts module that allows to bruteforce subdomains.
  • DNSRecon - A powerful DNS enumeration script
  • Fierce - A semi-lightweight enumeration scanner
  • Gobuster - Alternative directory and file busting tool written in Go
  • DNSenum - Offers recursive and threaded subdomain enumeration.
  • AltDNS - offers bruteforcing based on permutations of already found domains

Know of any more tools we missed? Or thoughts on this topic? Please share!


For further epic-ness (not specifically for domains though) i’d read “Open Source Intelligence Techniques” by Micheal Bazzell:

1 Like

Recon-ng is awesome. Besides brute forcing it can search subdomain in Yahoo and Bing (no API key requiered) and get subdomains from SSL certs. Also some time ago author of Recon rewrote brute_hosts so now it can brute subdomains when target main domain has wildcard DNS record. I don’t know any other tool which can do that.

yeah, that’s what my script does. It is auto-run for all those modules with a custom word list for the bruteforcing. The only thing i’d like is if recon-ng handled wildcard better and it was threaded.


i prefer NMAP module DNS-BRUTE with some custom subdomain lists

and certficate databases like and

1 Like

wow :heart_eyes:10000 scanned in 183.99 seconds
let see sub 1000000.lst and if find what I’m looking :scream:
i bet is around 2h

There are tons of ways of discovering subdomains

  • Subscrapping

  • Brute forcing
    And more…
    In fact I found out that there are 20 ways of discovering subdomains
    That was amazing to me
    Same of them discover all others don’t discover offline subdomains

I personally use subdomainfinder oline which uses i guess search engine method.